The final Law Update of 2022 is here, and it’s packed full of articles. The double edition features two focus areas, first is a spotlight on Energy and Resources and second we feature a collection of articles on Transport and Logistics. The developments occurring in these sectors in the MENA region are unprecedented and our lawyers cover vast themes for you.
The Energy and Resources focus features topics such as diversifying energy resources, solar PV, mining in the Middle East, renewable energy and green hydrogen. From a transport perspective, we draw attention to the Bahrain metro project, discuss the challenges and remedies associated with the repossession of an aircraft, and there is advice on what to consider should a party vary the terms of a shipping contract.
This edition navigates you through updates from across jurisdictions such as, Oman, Jordan, Saudi Arabia, Egypt, Iraq, Qatar, and the UAE. Each article is timely and provides insights into legal issues and cases that are affecting these sectors across the region.Read the full edition
The Kingdom of Bahrain’s Law No. 30 of 2018 promulgating the Personal Data Protection Law (‘PDPL’), which came into effect on 1, August 2019, gives data subjects resident in the Kingdom the right to object to decisions made based only on automatic processing (Article 22 of the PDPL).
The banking and finance sector is likely to be impacted by this new statutory right.
An automated process for scoring loans can calculate and score qualitative and quantitative risk factors and weigh each according to the type of loan in order to automatically generate a loan decision.
Automating loan decisions are said to be highly beneficial to the banking and finance sector as a whole for the following reasons:
While described as a ‘right to object’ to decisions based on automated processing, the right granted under Article 22 to individuals (potential borrowers in this scenario) is actually a right to request processing in a manner that is not solely automated.
Article22 (1) states, in part (in its English translation):
“If a decision is based solely on automated processing of personal data intended to assess the data subject regarding his performance at work, financial standing, credit-worthiness, reliability or conduct, then the data subject shall have the right to request processing in a manner that is not solely automated.”
Re-consideration of the automated decision by an human is obligatory in these circumstances and must be done free of charge for the data subject.
The Board of the Personal Data Protection Authority (‘Authority’) is yet to issue a regulation specifying procedures relating to the submission and processing of the request under Article 22. Although, the Minister of Justice, Islamic Affairs and Awqaf has recently been tasked under Decree No. (78) of 2019 with the duties and powers prescribed under the PDPL for the Authority to date, no regulations have been issued regarding Article 22. What remains unclear is, whether in the absence of these processes, data subjects can exercise their rights under Article 22.
Further, the right to object under Article 22 expressly does not apply “in favour of the Data Subject, where the decision is taken in the course of entering into or performance of a contract with the data subject, provided that suitable measures to safeguard his legitimate interests have been taken, such as hearing the data subject’s view.”
It is worth noting that any person who incurs damage arising from processing of their personal data by a data controller (whether by automated means or otherwise) has the right under Article 57 of the PDPL to compel the data controller to pay compensation with a view to repairing the damage.
The right to object only applies to decisions that are based solely on automated processing of personal data. Where a loan decision is not fully automated, the right does not apply.
As noted above, the Authority has not issued any guidance on the application of Article 22(2) of the PDPL. However, this PDPL provision appears to be based on Article (22)(2)(a) and 22(3) of the European
Union’s General Data Protection Regulation (EU) 2016/679 (‘GDPR’).
These equivalent GDPR provisions likely provide some guidance for interpretation of the PDPL. Under the GDPR, a data subject does not have a right to object to a decision based solely on automated means if:
Guidelines for the GDPR produced by the advisory body known as the Article 29 Working Party (or WP29), gives examples of ‘suitable measures’ that enable the data subject to obtain human intervention, express their point of view and contest the decision.
Consequently, if for example, an online bank in Bahrain is offering loans and a decision on whether or not a loan should be offered based on an algorithm is taken, it appears under the PDPL the bank should:
Banks and other financers in the Kingdom of Bahrain do not necessarily use automated loan decisions for every type of loan offering considering that numerous factors make up their business strategies and lending decisions. However, if they do make a decision based solely on an algorithm or other automated process they need to be aware that: